From: ebiederm@xmission.com (Eric W. Biederman)
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: torvalds@transmeta.com (Linus Torvalds),
viro@math.psu.edu (Alexander Viro),
linux-kernel@vger.kernel.org
Subject: Re: [RFC] "Text file busy" when overwriting libraries
Date: 14 Oct 2001 14:48:06 -0600
Message-ID: <m13d4mq77d.fsf@frodo.biederman.org>
In-Reply-To: <E15sk4C-0007Be-00@the-village.bc.nu>

Alan Cox <alan@lxorguk.ukuu.org.uk> writes:

> > My big question is how to correctly define O_EXEC for every
> > architecture. But I would like to know if there are objectionable
> > parts as well.
>
> It looks totally unworkable. Open() has side effects on a large number of
> platforms, and being able to open an exec only file might trigger them
> as well as all sorts of other potential problems where files are
> marked rwx by accident as is very common.

We already can open an exec only file just open("file", 0).
In fact it looks like you can open a file with no permissions at all.
You just can't do anything with it.

All O_EXEC does is stipulate that you must have the exec permission
to the file, and it does cause a side effect. Possibly it should
be broken into open, and then side effect. fcntl(fd,F_DENYWRITE).

My primary observation is that we don't need to manage the DENYWRITE
at the mmap level. The file descriptor level gets the job done with
less code, fewer surprises, fewer races.

> You narrow the DoS vulnerability and add a whole new set of open based
> ones.

You may be right. With the cleanup of the implementation by moving
everything into open (where we implement this for exec), it hadn't
occurred to me that I might be opening a different kettle of fish.

> This isn't a problem worth solving. Shared libraries are managed by the
> superuser. The shared library tools already do the right thing. The
> superuser can equally reboot the machine or reformat the disk by accident
> anyway.

Yes the superuser can shoot himself in the foot, and by that argument
I should delete the entire implementation of MAP_DENYWRITE from the
kernel.

It is by no means true that the existing user space tools get it
right. I have multiple shared libraries where the owner has write
permission to them. And I do believe gcc -o foo.so does not do a
unlink/open(O_CREAT) pair. Nor does cp.

As for the superuser being the only one who touches shared libraries.
That is as true as it is that the superuser is the only one who
touches binaries, or scripts.

It is also quite unobvious that you shouldn't write to shared
libraries. If you have looked at how shared libraries are mapped and
you know that they are mapped into memory with mmap(MAP_PRIVATE), and
you understand how mmap works. It is quite obvious why you shouldn't
touch them. There are a lot of users that haven't done that however.

Accidental rwx permissions settings may indeed be a valid argument,
though I think that is more a bug in chmod, than anything else.

Eric
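
The effect discussed above for libraries mapped with mmap(MAP_PRIVATE), as an added example that is not part of the original message or of any patch in this thread: an in-place rewrite reaches a mapping that already exists, while replacing the file with a new inode does not. It uses a temp-file-plus-rename replacement in place of the unlink/open(O_CREAT) pair named in the mail; the helper names, the /tmp path and the filler bytes are constructed for the demo, and the in-place result is Linux page-cache behaviour (POSIX leaves it unspecified).

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define LEN 4096  /* constructed sample "library": one page of filler bytes */

/* In-place update (what the mail says cp does): the same inode is rewritten. */
static int overwrite_in_place(const char *path, const char *buf) {
    int fd = open(path, O_WRONLY);            /* no O_TRUNC, length unchanged */
    if (fd < 0) return -1;
    ssize_t w = pwrite(fd, buf, LEN, 0);
    close(fd);
    return w == LEN ? 0 : -1;
}

/* Safe update: build a new inode beside the old one, then rename over it. */
static int replace_by_rename(const char *path, const char *buf) {
    char tmp[64];
    snprintf(tmp, sizeof tmp, "%s.new", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) return -1;
    int ok = write(fd, buf, LEN) == LEN && fsync(fd) == 0;
    close(fd);
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Map version 'A', update the file to 'B', return the byte the old mapping sees. */
int mapped_byte_after_update(int use_rename) {
    char path[] = "/tmp/libdemo-XXXXXX", v1[LEN], v2[LEN];
    memset(v1, 'A', LEN); memset(v2, 'B', LEN);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, v1, LEN) != LEN) { close(fd); unlink(path); return -1; }
    char *m = mmap(NULL, LEN, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) { unlink(path); return -1; }
    int rc = use_rename ? replace_by_rename(path, v2) : overwrite_in_place(path, v2);
    int seen = rc == 0 ? m[0] : -1;   /* Linux: untouched private pages track the file */
    munmap(m, LEN);
    unlink(path);
    return seen;
}

int main(void) {
    printf("in-place: %c  rename: %c\n", mapped_byte_after_update(0), mapped_byte_after_update(1));
}
```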